MIUI Wifi Connection Message Vulnerability

2014-10-14T00:00:00
ID SECURITYVULNS:DOC:31208
Type securityvulns
Reporter Securityvulns
Modified 2014-10-14T00:00:00

Description

MIUI Wifi Connection Message Vulnerability

I. Summary Wifi Connection Message is written to a NFC tag, which can be touched by a NFC mobile phone for connecting wireless AP

automatically. A logic flaw has been found in MIUI that is a Android ROM. The flaw can be used to turn on wifi, with the

help of "wifihandover"(https://play.google.com/store/apps/details?id=net.endflow.apps.wifiho) or "NFC Tag

Assistant"(http://app.mi.com/detail/43940).

II. Description According to the NFC Wifi Connection Message Specification, construct a message as follow. D2 17 45 61 70 70 6C 69 63 61 74 69 6F 6E 2F 76 6E 64 2E 77 66 61 2E 77 73 63 10 4A 00 01 10 10 0E 00 3C 10 26 00 01 01 10 45 00 04 55 43 41 53 10 03 00 02 00 20 10 0F 00 02 00 08 10 27 00 10 5B 0F A0 A8 11 2B 5B EF F0 C2 10 3E D6 91 5C B1 10 20 00 06 88 32 9B 57 F1 CC FF FF 00 01 02

Then write the message to NFC tag. For the reason MIUI 5.30(a Android ROM)don't process wifi message,"wifihandover" or

"NFC Tag Assistant" should be installed in the tested phone. Touch the NFC tag with a smart phone with Samsung GT-I9300

(installed with MIUI 5.30, an Android ROM), wifi will be turned on automatically, regardless of whether wifi connection

succeeds or not.

III. Impact This bug cause wifi connection turned on automatically


IV. Affected MIUI 4.1.17/5.30 other versions we don't test.


V. Solution modify the source codes about Wifi connection message processing strategy.